Released: Aug 14, 2025

v7.3.0 での更新項目

機能

• FAPI 2.0 Profile Certification - IdentityServer is now officially certified as conformant with the FAPI 2.0 Security Profile.
  • Added a new option for clock skew when validating JWTs.
  • Added the PAR endpoint to the discovery doc's mTLS aliases.
  • Added support for the DPoP header at the PAR endpoint.
  • Port number in mTLS configuration is now respected.
  • Adjusted Multiple DPoP Token Error.
  • Added new options for allowed signing algorithms for JWTs and DPoP proof tokens for scenarios when the supported...

Released: Jun 4, 2025

v7.2.4 での更新項目

機能

• Added a null-check for the client before coordinating session lifecycle.

Released: May 7, 2025

v7.2.3 での更新項目

不具合の修正

• Fixed a regression where multiple WWW-authenticate headers were issued.

Released: Apr 30, 2025

v7.2.2 での更新項目

機能

• Hardened the security of the default configuration that controls the redaction in logs of parameters passed to the Pushed Authorization (PAR) and Authorize endpoint, ensuring that client secrets and client assertions are not logged by default.
  • In particular, the default value of AuthorizeRequestSensitiveValuesFilter and PushedAuthorizationSensitiveValuesFilter have been changed to both be ["client_secret", "client_assertion", "id_token_hint"].
  • PAR requests sometimes are handled by the same...

Released: Apr 16, 2025

v7.2.1 での更新項目

不具合の修正

• Fixed a bug where a private_key_jwt client authentication token would be rejected if it had no typ header, even if strict validation of such tokens was not enabled.

Released: Mar 18, 2025

v7.2.0 での更新項目

機能

• Optional strict validation of private_key_jwt audiences, implementing RFC 7523 bis.
  • (RFC 7523 bis is a proposed update to RFC 7523 in which two new requirements for private_key_jwt client assertions are proposed).
• Optional caching of the discovery endpoint.
• Less log noise when issuing the use_dpop_nonce response from the token endpoint.

不具合の修正

• Bug fixes and optimizations.